Score:0

NBD allow not allowing access with valid IP


I have an nbd server set up with the following config:

[generic]
    user = nbd
    group = nbd
    port = 98745
[export]
    exportname = /dev/ubuntu-vg/lv0
    authfile = /etc/nbd-server/allow

Without an allow file this works flawlessly.

After adding the following allow file

10.0.0.0/24

With an IP of 10.0.0.10 I get

Negotiation: ..Error: Connection not allowed by server policy. Server said: Access denied by server configuration

And on the server

Spawned a child process
virtstyle ipliteral
connect from 10.0.0.10, assigned file is /dev/ubuntu-vg/nfs-lv
client address does not match 2/10: address family mismatch (IPv4 vs IPv6?)
message repeated 2 times: [ client address does not match 2/10: address family mismatch (IPv4 vs IPv6?)]
Client '10.0.0.10' is not authorized to access
Negotiation failed: Connection reset by peer

Any thoughts? I'm stumped; as per the docs here, this should work as is. To be thorough, I've also added 127.0.0.1 and 10.0.0.10 to the allow file and received the same results, trying each line individually as well.

I get that IP checking isn't exactly secure, but if it makes things slightly more difficult for malicious actors I'd like to enable it. Please also make sure suggestions use the new style format.

Score:0

This just happened to me, a few newbie mistakes I figured out after trial and error:

  1. The configuration documentation says String, but don't put it in quotes, that doesn't work.
  2. Authfile = (Nothing to right of =) will open it up for all access.
  3. "Connection not allowed by server policy" - this can ACTUALLY mean it does not have read permissions to file, or the file name/path of the export is incorrect.
  4. Debugging the server is easier if you start it on the command line with -d (nbd-server -d -C /etc/nbd.conf) so you can see any errors.

I noticed that your exported file "/dev/ubuntu-vg/lv0" doesn't match your assigned file in log "/dev/ubuntu-vg/nfs-lv"

Here is my working nbd.conf, no auth file is required as I defined it as empty. I am on version 3.21

[generic]
  allowlist = true
  listenaddr = your.ip.add.ress
[archiso]
  exportname = /z/systemrescue-9.00-i686.iso
  authfile =
  readonly = true
  port = 10809

Good luck to you!

Zevrant: FYI, this is exactly what I didn't want. I want to configure the auth file with proper values.
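
The server log in the question reports "address family mismatch (IPv4 vs IPv6?)" with the numbers 2/10. As an added example (not from the thread and not nbd-server's own code), this Python code shows how an IPv4 allow entry can fail against a client address held in IPv6 form, and how unmapping it first lets the same entry match. It assumes 2 and 10 are the Linux AF_INET and AF_INET6 values and that the client arrived as an IPv4-mapped IPv6 address; `parse_allow`, `check` and the sample peer string are hypothetical.

```python
import ipaddress

# Linux address-family numbers; assumed to be the "2/10" in the server log.
AF_INET, AF_INET6 = 2, 10


def family(obj):
    """Address-family number for an ipaddress address or network."""
    return AF_INET if obj.version == 4 else AF_INET6


def parse_allow(text):
    """Parse allow-file text (one address or CIDR per line) into networks."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def check(peer, nets, unmap=True):
    """Return (allowed, reasons). With unmap=True an IPv4-mapped IPv6 peer
    (::ffff:a.b.c.d) is compared as plain IPv4 before matching."""
    addr = ipaddress.ip_address(peer)
    if unmap and addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    reasons = []
    for net in nets:
        if family(net) != family(addr):
            reasons.append(f"{net}: address family mismatch "
                           f"{family(net)}/{family(addr)}")
        elif addr in net:
            return True, reasons
        else:
            reasons.append(f"{net}: address outside range")
    return False, reasons


# Allow entries taken from the question; the mapped peer form is constructed.
ALLOW = "10.0.0.0/24\n127.0.0.1\n10.0.0.10\n"
MAPPED_PEER = "::ffff:10.0.0.10"

if __name__ == "__main__":
    nets = parse_allow(ALLOW)
    for unmap in (False, True):
        ok, why = check(MAPPED_PEER, nets, unmap=unmap)
        print(f"unmap={unmap}: allowed={ok}")
        for line in why:
            print("   ", line)
```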